MidnightBSD

Advisories for exiftool_project

CVE-2018-20211 MEDIUM

ExifTool 8.32 allows local users to gain privileges by creating a %TEMP%\par-%username%\cache-exiftool-8.32 folder with a victim's username, and then copying a Trojan horse ws32_32.dll file into this new folder, aka DLL Hijacking. NOTE: 8.32 is an obsolete version from 2010 (9.x was released starting in 2012, and 10.x was released starting in 2015).

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-427,

Products Affected

Vendor Product Version
exiftool_project exiftool 8.32
CVE-2021-22204 MEDIUM

Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
cve@gitlab.com 6.8 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L 2.5 3.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,CWE-94,

Products Affected

Vendor Product Version
fedoraproject fedora 32
fedoraproject fedora 34
fedoraproject fedora 33
debian debian_linux 9.0
exiftool_project exiftool *
debian debian_linux 10.0
CVE-2022-23935 HIGH

lib/Image/ExifTool.pm in ExifTool before 12.38 mishandles a $file =~ /\|$/ check, leading to command injection.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
exiftool_project exiftool *
CVE-2026-3102 HIGH

A vulnerability was determined in exiftool up to 13.49 on macOS. This issue affects the function SetMacOSTags of the file lib/Image/ExifTool/MacOS.pm of the component PNG File Parser. This manipulation of the argument DateTimeOriginal causes os command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 13.50 is capable of addressing this issue. Patch name: e9609a9bcc0d32bd252a709a562fb822d6dd86f7. Upgrading the affected component is recommended.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cna@vuldb.com 6.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L 2.8 3.4

CVSS 2.0

Severity: HIGH

Problem Type: CWE-77,CWE-78,CWE-78,

Products Affected

Vendor Product Version
exiftool_project exiftool *